Detect more

2022-10-18 10:08:34 -04:00 · 2022-10-18 10:08:34 -04:00 · 5839a20fb3
parent 0160d05ed3
commit 5839a20fb3
4 changed files with 48 additions and 1 deletions
--- a/detection/evasion/unexpected-hidden-system-folders.sql
+++ b/detection/evasion/unexpected-hidden-system-folders.sql
@ -1,9 +1,12 @@
 -- Find unexpected hidden directories in operating-system folders
 --
+-- references:
+--   * https://themittenmac.com/what-does-apt-activity-look-like-on-macos/
+--
 -- false positives:
 --   * unusual installers
 --
-- platform: linux
+-- platform: posix
 -- tags: persistent filesystem state
 SELECT
  file.path,
@ -29,6 +32,8 @@ WHERE
    OR file.path LIKE '/libexec/.%'
    OR file.path LIKE '/Library/.%'
    OR file.path LIKE '/sbin/.%'
+    OR file.path LIKE '/etc/.%'
+    OR file.path LIKE '/etc/%/.%'
    OR file.path LIKE '/sbin/%/.%'
    OR file.path LIKE '/tmp/.%'
    OR file.path LIKE '/usr/bin/.%'
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@ -1,5 +1,8 @@
 -- Pick out exotic processes based on their command-line (events-based)
 --
+-- references:
+--   * https://themittenmac.com/what-does-apt-activity-look-like-on-macos/
+--
 -- false positives:
 --   * possible, but none known
 --
@ -79,6 +82,7 @@ WHERE
    OR cmd LIKE '%xargs kill -9%'
    OR cmd LIKE '%nohup /bin/bash%'
    OR cmd LIKE '%echo%|%base64 --decode %|%'
+    OR cmd LIKE '%UserKnownHostsFile=/dev/null%'
    -- Crypto miners
    OR cmd LIKE '%c3pool%'
    OR cmd LIKE '%cryptonight%'
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@ -1,5 +1,8 @@
 -- Pick out exotic processes based on their command-line (events-based)
 --
+-- references:
+--   * https://themittenmac.com/what-does-apt-activity-look-like-on-macos/
+--
 -- false positives:
 --   * possible, but none known
 --
@ -79,6 +82,7 @@ WHERE
    OR cmd LIKE '%nohup /bin/bash%'
    OR cmd LIKE '%echo%|%base64 --decode %|%'
    OR cmd LIKE '%launchctl list%'
+    OR cmd LIKE '%UserKnownHostsFile=/dev/null%'
    -- Crypto miners
    OR cmd LIKE '%c3pool%'
    OR cmd LIKE '%cryptonight%'
--- a/detection/impact/evenly-timestomped.sql
+++ b/detection/impact/evenly-timestomped.sql
@ -0,0 +1,34 @@
+-- Files where the timestamp falls along 12-hour boundaries - probably caused by 'touch <date>0000'
+--
+-- false positives:
+--   * 1 in 43200 chance per binary
+--
+-- tags: persistent seldom filesystem
+-- platform: linux
+SELECT file.path,
+    DATETIME(file.mtime, 'unixepoch', 'localtime') AS mod_time,
+    DATETIME(file.atime, 'unixepoch', 'localtime') AS access_time,
+    file.inode,
+    hash.sha256,
+    magic.data
+FROM file
+    LEFT JOIN hash ON file.path = hash.path
+    LEFT JOIN magic ON file.path = magic.path
+WHERE (
+        file.path LIKE "/bin/%%"
+        OR file.path LIKE "/etc/%%"
+        OR file.path LIKE "/sbin/%%"
+        OR file.path LIKE "/lib/%%"
+        OR file.path LIKE "/usr/%%"
+    )
+    -- This timestamp is in UTC
+    AND file.mtime%3600 = 0
+    -- Narrow down to specific offsets in the users local timezone (there should be a better way!)
+    AND (
+        mod_time LIKE "% 12:00:00"
+        OR mod_time LIKE "% 00:00:00"
+    )
+    -- false positives
+    AND file.path NOT IN ('/etc/master.passwd')
+    AND file.path NOT LIKE '%/lynis%'
+    AND file.path NOT LIKE '%/yelp-xsl%'